2023-03-06 13:08:05 ET
Zscaler, Inc. (ZS)
Morgan Stanley Technology, Media & Telecom Conference
March 6, 2023 11:00 a.m. ET
Company Participants
Jay Chaudhry - Chairman, Founder, and Chief Executive Officer
Remo Canessa - Chief Financial Officer
Conference Call Participants
Hamza Fodderwala - Morgan Stanley
Presentation
Hamza Fodderwala
All right. Well, good morning, everybody. My name is Hamza Fodderwala; I am the U.S. cybersecurity analyst, here at Morgan Stanley. And welcome to the 2023 Morgan Stanley TMT conference. I'm sure it's going to be a great week. To kick things off, we have the team of Zscaler. We have the pleasure of having Jay Chaudhry, CEO, Chairman, and Founder, as well as Remo Canessa, the CFO of Zscaler. And before I begin, for informed disclosure, please see the Morgan Stanley research disclosure Web site at www.morganstanley.com/researchdisclosures. I'm going to have to say that a thousand times this week.
Well, welcome, gentlemen. Thank you so much for being here. Maybe I just wanted to start off levels, that you guys reported earnings last week.
Question-and-Answer Session
Q - Hamza Fodderwala
I was wondering if you'd just quickly recap the results, what is sort of the state of the union in terms of overall macro demand picture, what were some of the positives, and perhaps some of the challenges coming the quarter?
Jay Chaudhry
Right. I'll start, and Remo, you can add on. Yes, macro is getting [probably true] (ph), there's more scrutiny. But overall, if you look at from revenue or sales point of view, you think of two things. Number one, due to tight environment, is there enough demand? Generally, hard times make demand soft. We are seeing very high degree engagement with our customers. Now why is that? That's because, number one, all CIOs, CSOs do care about cyber. Cyber interest is not going down. Number two, if CIOs understand that they can save money, reduce cost, they're willing to engage. It's because of these two reasons we see good demand, we've seen a record pipeline.
The second part is, great you've got pipeline, can you close the business, because that's where excess scrutiny comes in. Yes, three, four quarters ago, a CIO could get the deal done. More and more deals do go to CFO for approval. Now, we the two things we do in that area that help us, number one, Zscaler has always been selling to C level because we are transformational. Traditional appliances, firewalls have been bought at the technical level. We started at the CIO level, not even CSO, CIO level. That helps us because there's only one more level to go to.
Number two, there's a lot of push on business justification. About six years ago, we started a team for business value assessment. That team has grown, it does a good job. So, being able to do these two things is helping us actually do good business. Remo?
Remo Canessa
Yes. I mean, from, basically, our call last week, we beat on revenue significantly, and also operating profitability. We're at the high end of the range of billings. We increased our guidance for the full-year, as well as increased our guidance both on billings -- or billings revenue and also operating profitability. We did announce a 3% restructuring, about 200 employees. Over the last 18 months, we've doubled the size of the company. So, basically just increasing efficiency throughout the company, we decided to take out a [couple hundred] (ph) employees.
Hamza Fodderwala
Got it. So, you guys have been a disruptor in network security market and sort of pioneer in the move towards SASE and Zero Trust Network Access. One of the things that you talked about was customer cutting deals into phases. One of the things we think about with SASE is, while important, while it's a cost saver, it is a transformational sale. So, are you seeing some pushback on that front that's along in a deal cycle further saying, "Hey, this is something I want to do, but right now, perhaps, I want to conserve cash," especially as people return to the office and will likely remain in a hybrid model for the foreseeable future?
Jay Chaudhry
So, the world has been hybrid for a long, long time. Zscaler is not about just cloud. In the Zscaler world, with a zero trust architecture, your application could be sitting in the datacenter, in Azure, AWS, wherever, it doesn't matter. Users could be sitting in the office or at home. So, sometimes people have a misconception. Their hybrid means legacy firewalls and VPN; absolutely wrong understanding. Now, it is true that during COVID, you had to work from home. So, only option of working in the office was not a good option. But if you really think about the security part, there have been two models for security. Protecting servers and datacenter has traditionally been done by firewalls.
The user security when users need to access application has been done using a proxy architecture and you must be familiar with some of the names, the Blue Coats and McAfees, and Ciscos of the world. We basically started to disrupt the user protection. Quite often people think that we compete directly with firewalls. Not true. Firewalls were designed to protect servers. Now, it is true that firewall vendors are getting nervous that, with the cloud, the role of firewalls will disappear. Where will you create modes, all over? You can't. So, they're trying to pivot and say, "I can do what Zscaler does." Well, not quite. To do what we do you need to be literally a switchboard with a proxy architecture. That's the opposite of a firewall architecture.
Architecture is like the foundation of the building. If you have a foundation to build a two-story building, you can't build a 10-story building on top of it unless you fix the architecture. The easiest thing for legacy vendors is to say, "I can do it because it kind of put some bolts around things." I believe that it's because of our architecture difference we will maintain the lead. You may hear a lot of noise overall, but eventually the architecture wins, and our architecture is designed for on-prem, off-prem, no matter where things go. So, we don't see a negative impact of people staying in a mixed environment, we think it's positive, actually.
Hamza Fodderwala
Okay. So, let's talk about the competitive angle, because that's obviously a bigger topic again these days. There are a lot more SASE and ZTNA vendors than there were, let's say, two years ago or at least companies that purport to be SASE vendors, right? Has that in any way impacted Zscaler's win rates compared to one or two years ago?
Jay Chaudhry
So, if you think about what we started out, we started out with a disruptive architecture. Technology incrementally changes all the time. But disrupt architecture change happens every 20 to 30 years, okay. And I think SASE has become a buzzword, even Zero Trust has become a buzzword. But overall, the notion was don't put people own the network correct the right party to right party. And that's what we pioneered. Now, you can kind of equate some of these things in the other markets. I have talked about how Siebel software dominated the space, then Salesforce came with a different architecture. Who won the day? The architecture.
Let's even talk about cloud. You know where cloud started out earlier? VMware could spin VMs in the cloud and should be really the best hyperscalers. Early on, it felt that VMware would do very well. But guess what, when AWS built the Cloud Native architecture to do this stuff, AWS got a significant lead. We think our architecture will help us win it. While firewall vendors will come from behind, they'll all claim cloud. Blue Coat tried to do the same thing. They spun up their proxy in the cloud, it wasn't the right architecture. So, from market point of view, when it comes to high end of the market we do extremely well. Those companies understand it.
You've seen a lot of these large deals we end up announcing. We literally have no real competition. When you come down market some time, the understanding of technology may not be as clear. And we see a bunch of competition there. And that's where a networking company may be bundling a router and switch, and firewall in some of the other stuff. And we have been expanding our presence there. Once we engage, we went.
Hamza Fodderwala
Okay. So, it sounds like, high end, there's no change in win rates as far as you can see. Is the incremental competition, at the very least, slowing down the sales cycle because now there's more vendors to evaluate?
Jay Chaudhry
On the higher end, I don't think competition is slowing us down. On the higher end, there is impact of approvals and extra scrutiny. So, some of the deals you want to get done, they may take longer.
Hamza Fodderwala
Got it.
Remo Canessa
So, our pipeline is a record pipeline. And you're right, I mean the scrutiny is higher, as Jay mentioned. We're seeing that. We took that into account with our guidance. So, over the last couple quarters we've seen, basically, deal cycles taking a little bit longer. And so, for our guidance going out into the second-half, we've put a little more conservatism on our close rates.
Hamza Fodderwala
Got it. I want to talk a little bit about the 3% workforce reduction. Jay, I think at another conference earlier this year, the comment you made was that, yes, like things are slowing down but we're not going to overly pivot, right? You're still hiring?
Jay Chaudhry
Yes.
Hamza Fodderwala
You still want to be aggressive. And then, six to eight weeks later we had the announcement there. So, just walk me through the thought process behind that?
Jay Chaudhry
Yes, so, in the past 18 months, we doubled the company's size. We went from about 3,000 to 6,000 employees. And as we do know that some of the things are slowing down. But also when you double in 18 months, there are some level of optimization you need. There is some level of roles, get [big and party] (ph), what's the right word? You end up adding you shouldn't be adding. We are not slowing down our core engineering. We're not slowing down our product development; we're not slowing down our core sales function. What we've done in this area, for example, you don't need a large recruiting team when you are slowing down your hiring. So, G&A was one part.
While core sales is important, sometimes there are a bunch of supporting function for sales that end up beefing up. So, those are some of the changes we made. We expect to keep on hiring in selected areas, like core sales and core engineering. And we expect our headcount to be higher by the end of the year. So, we have full -- we're bullish about the long-term opportunity. We will keep on hiring, but making sure we don't add extra stuff that's not needed for the business.
Hamza Fodderwala
Okay, got it. So, consolidation is a big theme these days. Can you talk a little bit about how Zscaler is aiding in that? And what are the major cost savings that you do get when you deploy Zscaler?
Jay Chaudhry
Yes. So, cost saving is a very important factor in today's market. If you look at various vendors out there, especially in the security space, most vendors and customers know that security is not typically about either cost saving or generating more revenue, it is actually a cost. Take most of the areas, endpoint identity, where would you save cost? Not a whole lot of stock. In the Zscaler world, we actually bring cost savings not from a bunch of security point products removal but also from the network side of it. Once you have Zscaler as a switchboard, it does everything your typical DMZ what's known as demilitarized zone does. A typical DMZ may be sitting with dozens and dozens of boxes. All you need in the Zscaler world is you need something on the endpoint for security. You need identity. And we as a switchboard, we connect the right party to right party. And we work over any network.
There's a network savings. There are savings on network performance monitoring tools. There are savings from proxies, DLP. Essentially, most of the firewalls go away. The only area firewalls remain is in the datacenter because datacenter is still pretty cluttered and complicated. Outside that, the simplification, the savings are significant. We actually quantify the savings. And now our customers are actually asking us to make sure we can do a quarterly deployment -- quarterly savings type of model which is helping us.
Hamza Fodderwala
Got it. Federal is an area where you talk a lot of about in terms of seeing more opportunity. There has been a lot of initiatives briefly announced by the Biden administration on that front. And you have multiple products that are FedRAMP certified. But, I think in your most recent quarter you talked about how that business was a little bit slower than you expected. Just comment on that and what you are seeing in terms of the pipeline ahead.
Jay Chaudhry
I will start. Remo, then you can add on the financial picture of it. We started investing in the federal market about four or five years ago knowing that you do need some of the critical certifications on FedRAMP, then StateRAMP to win this business. Today, we have the most certifications at the highest level as compared to any vendor. In fact, if you look at certification the highest level in the entire IP ecosystem, there are about six companies that are there. We are the only cyber company in that space. Who else are there? It's folks like AWS. It's IBM who have been there in the business for a long, long time. So, first of all it's good to be in that unique group of people who have full certifications.
When it comes to business, we had a strong Q1 in February. Q2 was lighter. But the rest of the outlook for the second-half of the year is strong. You know federal business can be lumpy. Bigger deals, they go up and down. And also, as you know that these budgets last year you may have heard about these continuous resolutions that delayed funding till March. This time, I think got done in December - January. It had some impact on it, but we have a strong pipeline. We have strong team. We are bullish about this business. Yes.
Remo Canessa
The budget approvals were approved in December. So, we did not see a strong Q2. But, we do expect to see a very strong second-half. We are well-positioned. As Jay mentioned, I pipeline is outstanding and growing with the FedRAMP certifications that we have. We have the highest in the industry. We are in a really good position. Yes, if I may make two more comments. Twelve of the 15 cabinet-level agencies are Zscaler customers. Now they all started small. But it's a big opportunity for us to grow that business. Some of the most sophisticated security agency like CISA that actually mandate security is a Zscaler customer. We have a Public Cyber Summit this Wednesday in Washington, D.C. We have got a number of CIOs of some of the top agencies presenting how they have done transformation. Over 700 people have registered for the event.
Hamza Fodderwala
Got it, got it. So, I wanted to go back to sort of the SASE market and sort of defining the SASE market. I think there is a lot of different definitions out there. So, if I think about SASE, does it have to be a cloud-delivered service through Zscaler sort of proxy architecture? Or, is there some combination of both cloud-based and physical elements whether that be firewall or SD-WAN for securing the WAN Edge for example, which is not going away anytime soon. So, just talk a little bit about the state of hybrid SASE today.
Jay Chaudhry
Yes. So, two separate points, there is nobody saying you must be cloud-based service only or on-prem only. It's the architecture that matters. Today, when we talk about Edge Cloud, we talk about taking the Cloud to the Edge to on-prem in many, many cases. So, the issue is not on-prem or Cloud, issue is architecture, what's the biggest problem with network security today. In a network security, architecture was designed in late 80s, early 90s. At the time, the notion was, you get on the network by connecting to the network in your office. Once you're on the network, you're like getting on Highway 80 here, you can reach Miami, New York or Dallas without hitting a single light, wonderful. But bad guys can do the same thing. Once you get on the network, the firewall is creating a trusted network, and everything else is untrusted.
This model worked very well, when everything was in your data center, and your branches connect to the data center, you control everything. The biggest change is that your applications are anywhere and everywhere, users are everywhere. The old model of firewall based security, you extend your network to every household, every office, everything that's connected to Highway, have you been reading or ran some weird attacks? Why are they happening? It's all because of firewall based architecture, you get on the network, you move laterally, you find high value applications, you encrypt them.
The foundation to fix that is Zero Trust Architecture, which says, do the opposite of what firewalls do. Do not connect people to the network. Be a switchboard like a phone switchboard? What does phone switch do, you get connected to a Party A, Party B, Party C, that has to be done. It's unfortunate that with this disruptive architecture, legacy firewall vendors are so worried that the hijack [indiscernible] that telling the world I got Zero Trust, well, I got Zero Trust 4.0, 5.0. I understand what they are trying to do to protect themselves, but it is a disservice because when country and companies need to protect themselves, it creates a false sense of security, but I believe that this message will carry on for so long. Eventually reality will catch up. And companies the right architecture will prevail.
Hamza Fodderwala
Okay, so your competitors are saying SASE is about the convergence of security and networking. Zscaler is saying the opposite. And but is there some aspect of additional complexity in that you have to go out or network to another edge to do the security processing with Zscaler versus where the firewalls can provide security within networking, as well as for remote users as well?
Jay Chaudhry
So, firewalls were never designed to protect users, my friends, they're designed to protect servers, the proxy architecture designed to protect users because the market realize that you must be able to terminate and go, it's the wrong thing to think that firewalls will do user security, okay. Good thing is firewall guys are adding more and more stuff on the same architecture. I think in the long run, it won't work. In the old world, without cloud, you could ship a box and it's customer's responsibility to make it work. The wall, the cloud, you need to take all this traffic and handle it. There are all kinds of issues you need to deal with. And when traffic is coming from all kinds of locations, you hear us talk about amount of traffic, amount of transactions we are handling around IPO timeframe, Remo and I used to talk about 30 billion transaction we do every day. That was a big number. Today, that number is approaching 300 billion. How do you handle that traffic? Have you heard these legacy vendors talk about traffic? Is that how much of a shelfware as a part of EL and how much is real, real traffic for real customers?
Hamza Fodderwala
No more questions about firewall. Okay, so that's the transaction is a good segue to the next question. So, I think Zscaler processes over 270 billion transactions daily through their Zero Trust exchange, and they're deployed on millions of clients. How do you see AI change the threat landscape? And how do you think Zscaler can leverage that data to be better equipped for this growing opportunity and threat?
Jay Chaudhry
For AI/ML, data is fundamental. It's about to 270, 280 billion logs every day. And these are not little firewall logs. These are proxy full logs with full information. You need expertise, you need data and AI/ML apply to it can figure things out. Now there is something called network effect or cloud effect, when you've got so much traffic coming to you, AI/ML is allowing you actually to analyze the stuff. Look for some other threats, you couldn't find otherwise, we are already actually doing some of that. And it's giving us far better cybersecurity than most of the other vendors offer because in an appliance-based architecture, you would, you design this thing for each appliance. And then, in a batch fashion, you try to bring the traffic back to correlate, then they do AL/ML probably yes. Do they have the real logs? No.
Can they do it in short amount of time? No. These are some of the things that are setting us apart the many, many use cases of AI/ML to help our customers. One other example I'll give you is, in the firewall and networking world, you put people on the network. They have access to all kinds of applications. In the Zero Plus walls, you want the right party to access only right applications, you got 50,000 employees, you got 10,000 applications, which employee should have access to which applications, no one knows. But once they start going through Zscaler architecture, we find the logs, we apply AI/ML engine to suggest the customer that the users should access these applications. This is a kind of cool stuff we can do by leveraging all the logs we collect because of our architecture.
Hamza Fodderwala
Got it. So, ZIA, that's still the majority of the business. You talked a little earlier about how you're not competing directly with the firewall, is there still a big sort of replacement opportunity with a lot of the legacy secure web gateway out there? So how much of the opportunity is still replacement versus Greenfield within ZIA, because I think Blue Coat at its peak had maybe about 20,000 customers or $1 billion installed base. So, is there still a big replacement opportunity there?
Jay Chaudhry
So, I know in the high end, Blue Coat had 85% of Fortune 500 company, an impressive number that they publicly talked about, and that's because they built a best proxy architecture that others couldn't build. So, I think those customers understand us, they come to us, I do not know exactly how much the mark is left. But I can tell you one thing, every quarter as we close deals, any ZIA deal in my top 30, 40 deals is probably 80% comes from Blue Coat replacement, and probably a few from McAfee, few from Cisco. It's the companies who understand the proxy architecture on the high end to do very well. I keep on wondering, "When will this end?" There's a lot of Blue Coat sitting out there. So, these are some of the biggest banks are still sitting on it. So, a couple data points, there's 20,000 companies with greater than 2,000 employees, we've got about 2,000 of those companies. So, basically, that's 10% penetration in the market. In addition, related to what we can sell to our installed base just for ZIA and ZPA, there's a 6x opportunity. And so, in the market size, we'd look at it as $72 billion market, both for users, and also for workloads.
So, huge market opportunity, very early stage, and the ability to sell a lot into our installed base, and couple other products I mentioned is just like we disrupted, the user security with ZIA, ZPA, now we have the same technology available for workloads, workloads, eventually, we'll have no firewalls. They go to Internet to ZIA, they talk to each other through ZPA technology. That's what we call it Zero Trust workloads, big opportunity for us. Data protection is still an early stage market, we got very comprehensive data protection technology, which really requires a proxy architecture, a lot of Symantec want to products deployed in large enterprises, now we replace -- beginning to replace them in significant numbers. That's another opportunity. And also the net performance, Zscaler digital experience designed actually to give you end-to-end performance. We really have no competition in that space, there'll be many points of entry. And you can start from one side and expand to other areas.
Remo Canessa
And important all those products are in the same stack, [VDRCP] (ph), they are all built around the same core platform. Okay? If we buy something, we buy a future kind of early stage product, but we are not a Cluj of many companies that are bought and they are on dissimilar platforms.
Hamza Fodderwala
Got it. We have a few minutes left, just want to open up to the audience for any questions. Anyone or do I, do hand raise. Okay, I can continue. I wanted to talk a little bit about M&A. So, Zscaler has just about $2 billion of cash. You just announced and acquisition of Canonic Security. Talk a little bit about that. And just your thoughts about buy versus build going forward.
Jay Chaudhry
Yes. Canonic acquisition extends our data protection portfolio to the next level within SSPM, SaaS Security Posture Management. This is the next leg of cyber supply chain. If you sales force is into [indiscernible] SaaS application, how safe are they? It's kind of our thought leadership. We have always done newer stuff long before others. And those are areas we look at. We have done smart acquisition. We did browser isolation, integrate the platform, made it very easy to single kit deployment. And I think you will keep on seeing us doing smart selected acquisitions. They are not really done for roll up of revenues. We are doing them for key technology where we can get to market and save 10 to 12 months rather than wait.
Hamza Fodderwala
Got it. Remo, I get to the last question. I'm going to have to end it with stock-based comp and a very [sterling] (ph) topic these days. So, the stock-based comp for Zscaler did uptick quite a bit last couple of years. I think at peak it was about 40% of revenue. Now, it's in the 30s, low 30s. How do you see that trending as a percentage of sales over the next couple of years?
Remo Canessa
Yes. You can keep on seeing it trending down. So, you will see stock-based comp. And what happens is when you are a company going public, stock is a big piece or component of your compensation. As you get bigger for all companies that declines. So, it's a natural thing. So, I would expect stock-based compensation -- it was 29% this last quarter. It will be substantially lower this year versus last year in fiscal '23 versus fiscal '22. You will see it continually going down on a year-over-year basis.
Hamza Fodderwala
All right.
Jay Chaudhry
If I may?
Hamza Fodderwala
Okay, go ahead.
Jay Chaudhry
Closing comment, do you want to add anything on stock-based comp? Architecture always wins. You can't go and keep on buying a bunch of companies and win. You have seen the history of how companies with disruptive architecture that executed well, they win. We think we are doing the same kind of stuff.
Hamza Fodderwala
All right. Thank you very much, Jay and Remo.
Jay Chaudhry
Thank you very much.
Remo Canessa
Thanks everybody.
Hamza Fodderwala
Thank you.
For further details see:
Zscaler, Inc. (ZS) Presents at Morgan Stanley Technology, Media & Telecom Conference (Transcript)